Matthias Reinholz

Detecting WordPress and WooCommerce on Websites

I recently needed to reliably and automatically detect if websites have WordPress and WooCommerce installed. This guide provides detailed, practical steps for identifying WordPress and WooCommerce installations across websites, incorporating both standard and advanced detection techniques.

TLDR;
The Condensed Checklist

This condensed checklist is a summary of what you can do to identify WordPress and WooCommerce:

WordPress Detection

  • HTML source: /wp-content/, /wp-includes/, meta generator tags
  • Cookies: wordpress_logged_in_, wp-settings-
  • Headers: Link with wp-json, X-WP-Total
  • API: /wp-json/, /xmlrpc.php, /wp-cron.php
  • Feeds: /feed/, /comments/feed/
  • Login pages: /wp-login.php, /wp-admin/
  • Exposed files: wp-cli.phar, readme.txt

WooCommerce Detection

  • Plugin paths: /woocommerce/assets/
  • CSS classes: woocommerce, wc-block-
  • Scripts: wc_add_to_cart_params, wc_checkout_params
  • API: /wp-json/wc/v3/, /wc/store/, /wc-analytics/
  • HTML: Schema.org/Product, checkout form inputs
  • Cookies/local storage: woocommerce_cart_hash, wc_ keys
  • Headless clues: GraphQL WooCommerce, frontend framework markers

Bash Script to Detect WordPress and WooCommerce

Here’s a little bash script to check if WordPress and WooCommerce are installed on a URL:

#!/bin/bash

read -p "Enter the URL (e.g., https://example.com): " URL
echo "Checking $URL ..."
URL="${URL%/}" # Remove trailing slash

TMP_HTML=$(mktemp)
TMP_HEADERS=$(mktemp)

# Fetch HTML and headers
curl -sL "$URL" -D "$TMP_HEADERS" -o "$TMP_HTML"

# Flags and reasons
IS_WP=false
IS_WP_STRONG=false
WP_REASONS=()
WP_MISSING_STRONG=()

IS_WC=false
IS_WC_STRONG=false
WC_REASONS=()
WC_MISSING_STRONG=()

# -- WordPress Strong Indicators --

# 1. wp-json Link header
if grep -iq "Link:.*wp-json" "$TMP_HEADERS"; then
  echo "[+] wp-json found in Link header"
  IS_WP=true
  IS_WP_STRONG=true
else
  WP_MISSING_STRONG+=("wp-json link header not found")
fi

# 2. /wp-json API
WP_JSON=$(curl -s "$URL/wp-json/")
if echo "$WP_JSON" | grep -q '"name":\|wordpress'; then
  echo "[+] WordPress REST API found at /wp-json/"
  IS_WP=true
  IS_WP_STRONG=true
else
  WP_MISSING_STRONG+=("/wp-json/ does not return WordPress data")
fi

# 3. /wp-login.php
LOGIN_PAGE=$(curl -s "$URL/wp-login.php")
if echo "$LOGIN_PAGE" | grep -q "wp-submit"; then
  echo "[+] WordPress login form found"
  IS_WP=true
  IS_WP_STRONG=true
else
  WP_MISSING_STRONG+=("/wp-login.php does not match default login form")
fi

# -- WordPress Medium Indicators --

if [ "$IS_WP_STRONG" = false ]; then
  if grep -qE "/wp-content/|/wp-includes/" "$TMP_HTML"; then
    echo "[~] WordPress paths found in HTML"
    IS_WP=true
    WP_REASONS+=("found /wp-content/ or /wp-includes/ in HTML")
  fi
  if grep -q '<meta name="generator" content="WordPress' "$TMP_HTML"; then
    echo "[~] WordPress generator tag found"
    IS_WP=true
    WP_REASONS+=("meta generator tag says WordPress")
  fi
  if grep -qi "Set-Cookie:.*wordpress_logged_in" "$TMP_HEADERS"; then
    echo "[~] WordPress cookie found"
    IS_WP=true
    WP_REASONS+=("cookie with wordpress_logged_in found")
  fi
  if curl -s "$URL/feed/" | grep -q "<generator>https://wordpress.org"; then
    echo "[~] WordPress RSS feed found"
    IS_WP=true
    WP_REASONS+=("RSS feed generated by WordPress")
  fi
fi

# -- WooCommerce Strong Indicators --

# 1. Store API
WC_JSON=$(curl -s "$URL/wp-json/wc/store/")
if echo "$WC_JSON" | grep -q "products"; then
  echo "[+] WooCommerce Store API found"
  IS_WC=true
  IS_WC_STRONG=true
else
  WC_MISSING_STRONG+=("WooCommerce Store API not available or empty")
fi

# 2. JS object
if grep -q "wc_add_to_cart_params" "$TMP_HTML"; then
  echo "[+] wc_add_to_cart_params found"
  IS_WC=true
  IS_WC_STRONG=true
else
  WC_MISSING_STRONG+=("wc_add_to_cart_params not found in HTML")
fi

# 3. Plugin path
if grep -q "/wp-content/plugins/woocommerce/" "$TMP_HTML"; then
  echo "[+] WooCommerce plugin path found"
  IS_WC=true
  IS_WC_STRONG=true
else
  WC_MISSING_STRONG+=("WooCommerce plugin path not found in HTML")
fi

# 4. Cookie
if grep -qi "Set-Cookie:.*woocommerce_cart_hash" "$TMP_HEADERS"; then
  echo "[+] WooCommerce cookie found"
  IS_WC=true
  IS_WC_STRONG=true
else
  WC_MISSING_STRONG+=("WooCommerce cookie not set")
fi

# -- WooCommerce Medium Indicators --

if [ "$IS_WC_STRONG" = false ]; then
  if grep -qE "woocommerce|wc-block-" "$TMP_HTML"; then
    echo "[~] WooCommerce-related classes found"
    IS_WC=true
    WC_REASONS+=("WooCommerce-related CSS classes found")
  fi
  if curl -s "$URL/cart/" | grep -q "cart[quantity]"; then
    echo "[~] WooCommerce cart page structure found"
    IS_WC=true
    WC_REASONS+=("cart form structure matches WooCommerce")
  fi
  if curl -s "$URL/my-account/" | grep -q "woocommerce-MyAccount"; then
    echo "[~] WooCommerce account page found"
    IS_WC=true
    WC_REASONS+=("account page layout matches WooCommerce")
  fi
fi

# -- Summary --

echo
echo "=== Detection Summary ==="

# WordPress summary
if [ "$IS_WP" = true ]; then
  if [ "$IS_WP_STRONG" = true ]; then
    echo "✅ WordPress detected (strong evidence)"
  else
    echo "⚠️ WordPress detected (moderate confidence)"
    echo "    Found:"
    for reason in "${WP_REASONS[@]}"; do echo "      - $reason"; done
    echo "    Missing strong indicators:"
    for miss in "${WP_MISSING_STRONG[@]}"; do echo "      - $miss"; done
  fi
else
  echo "❌ WordPress not detected"
fi

# WooCommerce summary
if [ "$IS_WC" = true ]; then
  if [ "$IS_WC_STRONG" = true ]; then
    echo "✅ WooCommerce detected (strong evidence)"
  else
    echo "⚠️ WooCommerce detected (moderate confidence)"
    echo "    Found:"
    for reason in "${WC_REASONS[@]}"; do echo "      - $reason"; done
    echo "    Missing strong indicators:"
    for miss in "${WC_MISSING_STRONG[@]}"; do echo "      - $miss"; done
  fi
else
  echo "❌ WooCommerce not detected"
fi

# Clean up
rm "$TMP_HTML" "$TMP_HEADERS"

WordPress Detection Methods

This is a more comprehensive list of methods to detect WordPress when you examine a website.

1. HTML Source Analysis

Implementation Details:

  • WordPress Core Path Detection
  • Meta Generator Tag Inspection
    • Look for WordPress generator meta tags in the <head> section
    • Example pattern: <meta name=”generator” content=”WordPress 6.4.2″>
    • Parse version information if available for further validation
  • Theme and Plugin Footprints
    • Identify theme paths: /wp-content/themes/[theme-name]/
    • Look for plugin references: /wp-content/plugins/[plugin-name]/
    • Search for WordPress-specific comment structures in HTML source
  • Script and Style Enqueuing Patterns
    • WordPress adds specific query parameters to scripts and styles
    • Look for patterns like ?ver=6.4.2 appended to CSS/JS files
  • Full Site Editing (FSE) Block Patterns
    • Check for block-specific patterns like /block-templates/
    • Look for HTML comments: <!– wp:core/ or <!– wp:template-part/
    • Identify FSE-specific theme.json references

2. HTTP Headers Examination

Implementation Details:

  • WordPress Cookie Detection
    • Make a request to the site and inspect response cookies
    • Look for WordPress-specific cookies such as:
      • wordpress_logged_in_[hash]
      • wordpress_test_cookie
      • wp-settings-[id]
      • wp-settings-time-[id]
  • Link Header Analysis
  • REST API-Specific Headers
    • Look for pagination headers: X-WP-Total and X-WP-TotalPages
    • These appear only in REST API responses from WordPress
    • Highly definitive indicators when present
  • Server and X-Powered-By Headers
    • While not definitive, some hosts reveal information
    • Look for WordPress-specific hosting signatures

3. API Endpoint Probing

Implementation Details:

  • REST API Validation
    • Make a GET request to /wp-json/ or /index.php?rest_route=/
    • Verify response contains WordPress identifiers
    • Example response content: {“name”:”Site Name”,”description”:”Just another WordPress site”}
    • Check for specific fields like name, url, description, gmt_offset
  • GraphQL Endpoint Testing
    • Check for /graphql endpoint
    • Try an introspection query to identify WordPress schemas
    • Look for WordPress-specific types in GraphQL schema
  • XMLRPC Availability Test
    • Send a HEAD or OPTIONS request to /xmlrpc.php
    • Even if disabled, this file’s presence indicates WordPress
    • A 405 Method Not Allowed response is a strong WordPress indicator
  • WP Cron Detection
    • Test for the existence of /wp-cron.php
    • While access may be restricted, its presence is a WordPress signature
  • Admin AJAX Endpoint
    • Check for /wp-admin/admin-ajax.php
    • This file is almost exclusively found in WordPress installations

4. Feed Structure Analysis

Implementation Details:

  • RSS/Atom Feed Examination
  • Comment Feed Inspection
    • Fetch /comments/feed/
    • WordPress has a distinctive comment feed format
    • Check for WordPress-specific XML namespaces

5. Login Page Analysis

Implementation Details:

  • Login Path Verification
    • Check for existence of /wp-login.php or /wp-admin/
    • Examine login page HTML for WordPress-specific elements
    • Look for CSS classes like login login-action-login wp-core-ui
  • Password Reset Page
    • Test /wp-login.php?action=lostpassword
    • WordPress has a distinctive password recovery flow

6. JavaScript Environment Inspection

Implementation Details:

  • Global WordPress Objects
    • Look for WordPress-specific JavaScript objects
    • Check for variables like wp.api, wp.blocks, wp.media
    • These are definitive indicators of WordPress
  • Inline Script Analysis
    • Examine wp-config.php constants if accidentally exposed
    • Look for WordPress localized script data: var wpApiSettings

7. Specialized Configuration Files

Implementation Details:

  • WP CLI Files
    • Check for exposed WP-CLI files: /wp-cli.phar
    • Look for .wp-cli.yml configuration files
    • These are rare but definitive when found
  • WordPress-Specific Directories
    • Test for .well-known/security.txt with WordPress references
    • Check for misconfigured backup directories with WordPress files
    • Look for version control artifacts: .git folders with WordPress content

8. Error Page Analysis

Implementation Details:

  • WordPress-Specific Error Pages
    • Analyze 404 and 500 error page structure
    • Look for WordPress theme wrappers around error messages
    • Check for “Error establishing a database connection” with WordPress formatting
    • Note: Only analyze errors that occur naturally; don’t deliberately cause them

WooCommerce Detection Methods

1. Static Resource Detection

Implementation Details:

  • Plugin Directory Validation
    • Search HTML for references to /wp-content/plugins/woocommerce/
    • Look for WooCommerce asset paths like:
      • /wp-content/plugins/woocommerce/assets/css/woocommerce.css
      • /wp-content/plugins/woocommerce/assets/js/frontend/woocommerce.min.js
  • CSS Class Identification
    • Search for WooCommerce-specific classes:
      • woocommerce, woocommerce-page
      • product, products
      • shop_table, cart, checkout
      • wc-block- prefixed classes for Gutenberg blocks
  • Script Analysis
    • Look for WooCommerce JavaScript objects:
      • window.wc_add_to_cart_params
      • wc_cart_fragments_params
      • woocommerce_params
      • wc_checkout_params
    • Search for woocommerce.js or wc-* prefixed script files

2. HTTP Header Inspection

Implementation Details:

  • WooCommerce-Specific Headers
    • Look for X-WooCommerce-Session in response headers
    • Check for WooCommerce API authentication headers
    • Identify WooCommerce-specific caching headers
  • Cookie Examination
    • Check for WooCommerce-specific cookies:
      • woocommerce_cart_hash
      • woocommerce_items_in_cart
      • wp_woocommerce_session_

3. Specific Page Patterns

Implementation Details:

  • Shop Page Detection
    • Check for /shop/, /store/, or /products/ URLs
    • Look for WooCommerce-specific page structures
    • Identify product grid or list layouts with distinctive classes
  • Cart and Checkout Pages
    • Test the existence of /cart/ and /checkout/ endpoints
    • Verify these pages contain WooCommerce-specific elements
    • Look for cart forms with input names like cart[quantity]
  • Account Page Structure
    • Check for /my-account/ or /account/ endpoints
    • WooCommerce account pages have distinctive navigation elements
    • Look for specific endpoints like /my-account/orders/
  • Full Site Editing Block Patterns
    • Look for WooCommerce block templates
    • Check for patterns like <!– wp:woocommerce/
    • Identify FSE-specific WooCommerce blocks

4. API Availability

Implementation Details:

  • WooCommerce REST API Testing
    • Make a request to /wp-json/wc/v3/
    • Even if authentication fails, the endpoint existence is telling
    • Check for specific error messages that confirm WooCommerce
  • Store API Testing
    • Try accessing /wp-json/wc/store/
    • This newer API is specific to WooCommerce
    • Look for distinctive response headers or authentication challenges
  • Analytics API Detection
    • Test /wp-json/wc-analytics/
    • This endpoint is exclusive to WooCommerce installations
  • GraphQL WooCommerce Extensions
    • Check for WooCommerce types in GraphQL schema
    • Look for endpoint /graphql with WooCommerce operations
    • Test for WooCommerce-specific query responses

5. HTML Component Analysis

Implementation Details:

  • Product Schema Detection
    • Search for WooCommerce schema markup
    • Look for itemtype=”http://schema.org/Product&#8221; with WooCommerce classes
    • Check for distinctive price, inventory, and product variation markup
  • Cart/Checkout Form Structure
    • WooCommerce forms have specific input names and structures
    • Look for name attributes like billing_first_name, shipping_address_1
    • Check for WooCommerce payment gateway elements
  • WooCommerce Block Detection
    • Search for block-specific HTML comments: <!– wp:woocommerce/
    • Look for elements with wc-block- prefixed classes
    • Check for cart and checkout Gutenberg blocks

6. JavaScript Environment Analysis

Implementation Details:

  • WooCommerce Object Detection
    • Check for global objects like wc_add_to_cart_params
    • Look for WooCommerce-specific event handlers
    • Identify WooCommerce AJAX actions
  • Local Storage Examination
    • WooCommerce often uses browser local storage
    • Look for keys with wc_ prefixes
    • Check for cart fragments in storage

7. Service Worker Detection

Implementation Details:

  • PWA Plugin Identification
    • Check for WooCommerce PWA service worker registration
    • Look for service worker scope covering shop pages
    • Identify PWA-specific caching strategies for product pages
  • Service Worker Script Analysis
    • Examine service worker registration paths
    • Look for WooCommerce-specific caching patterns
    • Check for offline product browsing capabilities

8. Headless Commerce Detection

Implementation Details:

  • Framework Fingerprinting
    • Identify React/Vue/Gatsby classes indicating headless frontend
    • Look for data attributes suggesting external API consumption
    • Check for frontend state management patterns typical in headless setups
  • API Consumption Patterns
    • Examine API calls to identify headless WooCommerce usage
    • Look for specific headers or authentication patterns
    • Check for WooCommerce REST API consumption from JavaScript

Advanced Detection Techniques

1. Heuristic Scoring System

Implementation Details:

  • Assign confidence scores to each detection method
  • Combine multiple indicators for higher confidence
  • Example scoring:
    • Strong indicators (API endpoints): 40 points each
    • Medium indicators (plugin paths): 20 points each
    • Weak indicators (CSS classes): 10 points each
    • Site is WordPress/WooCommerce if cumulative score > 50

2. Version Fingerprinting

Implementation Details:

  • Extract version numbers from script and style URLs
  • Look for version comments in HTML source
  • Compare hash signatures of core files against known versions
  • Check readme.txt or readme.html if accessible

3. Plugin Ecosystem Analysis

Implementation Details:

  • Identify additional plugins commonly used with WooCommerce
    • Look for WooCommerce extensions: /wp-content/plugins/woocommerce-
    • Check for payment gateway plugins
    • Identify shipping method plugins
  • Create signatures for common plugins for further verification

4. Multi-Stage Detection Pipeline

Implementation Details:

  • Implement a staged detection approach:
    1. Start with non-intrusive checks (HTML, headers)
    2. Proceed to targeted endpoint probing if initial checks are positive
    3. Perform deep analysis only when preliminary indicators are found
    4. Conduct advanced checks only when necessary for confirmation

5. Combined WordPress and WooCommerce Confidence

Implementation Details:

  • First establish WordPress detection confidence
  • Only proceed with WooCommerce checks if WordPress confidence is high
  • Calculate separate confidence scores for WordPress and WooCommerce
  • Combine scores with appropriate weighting for overall e-commerce detection

Implementation Best Practices

1. Ethical Considerations

Implementation Details:

  • Always check and respect robots.txt directives
  • Implement rate limiting to prevent server overload
  • Use appropriate user-agent strings identifying your crawler
  • Consider implementing a crawl delay between requests
  • Never deliberately trigger errors or server issues
  • Avoid aggressive scanning that might impact site performance

2. Error Handling

Implementation Details:

  • Implement timeout handling for all requests
  • Create fallback detection methods if primary ones fail
  • Handle redirects properly (some sites redirect to www or HTTPS)
  • Prepare for IP blocking or CAPTCHA challenges
  • Implement circuit breakers to stop scanning if too many errors occur

3. Performance Optimization

Implementation Details:

  • Start with non-intrusive methods before deeper probing
  • Implement request batching where possible
  • Use conditional logic to skip unnecessary checks
  • Cache detection results with appropriate expiration
  • Prioritize methods by computational efficiency
  • Implement parallel processing for independent detection methods

4. Data Structure

Implementation Details:

  • Create a standardized result format with confidence levels
  • Include detected versions when available
  • Store specific evidence that led to detection conclusions
  • Document false positives/negatives for continuous improvement
  • Maintain a structured log of detection attempts and outcomes

5. Maintenance Strategy

Implementation Details:

  • Keep detection signatures updated for new WordPress/WooCommerce versions
  • Monitor for changes in WordPress core structure
  • Update your detection logic with each major WooCommerce release
  • Implement a feedback mechanism to improve detection accuracy
  • Regularly test against known WordPress/WooCommerce installations
  • Maintain a test suite of diverse WordPress configurations

6. Handling Security Measures

Implementation Details:

  • Be prepared for security plugins that might block scanning
  • Implement progressive fallback strategies when primary methods are blocked
  • Respect security headers (e.g., Content-Security-Policy)
  • Handle CORS restrictions appropriately
  • Avoid triggering Web Application Firewalls (WAFs)

This comprehensive approach provides robust detection across traditional, headless, and modern WordPress/WooCommerce configurations, with appropriate emphasis on ethical implementation and performance optimization.

Posted in:

Comments

Leave a comment